Inference  Management:  Trust  and  Obfuscation 

in  Coalition  Settings 

Chatschik  Bisdikian^,  Murat  Sensoy*,  Nir  Oren*,  Christopher  Burnett* 

Timothy  J.  Norman*,  Mani  B.  Srivastava§  and  Lance  Kaplan^ 

^T.  J.  Watson  IBM  Research  Center,  New  York,  USA 
*  University  of  Aberdeen,  Aberdeen,  UK 
§  University  of  California,  Los  Angeles,  USA 
^US  Army  Research  Laboratory,  Adelphi,  MD,  USA 


Abstract — In  modern  coalition  operations,  decision  makers 
must  be  capable  of  obtaining  and  fusing  information  from  diverse 
sources.  The  reliability  of  these  sources  can  vary,  and,  in  order 
to  protect  their  interests,  the  information  they  provide  could  be 
altered,  e.g.,  obfuscated,  to  limit  the  inferences  that  can  be  made 
with  it.  The  trustworthiness  of  fused  information  depends  on  both 
the  reliability  of  these  sources  and  their  inference  management 
policies.  Information  consumers  must  determine  how  to  evaluate 
trust  in  the  presence  of  inference  management  techniques,  such 
as  obfuscation,  while  information  providers  must  determine  the 
appropriate  level  of  obfuscation  in  order  to  ensure  both  that  they 
remain  trusted,  and  do  not  reveal  any  private  information.  In  this 
paper,  we  present  and  formalise  trust  in  the  context  of  inference 
management  and  discuss  the  relationships  between  the  two.  We 
illustration  the  pertinent  concepts  via  a  multi-party  coalition 
scenario,  and  present  numerical  examples,  using  subjective  logic 
computational  techniques,  of  how  trust  and  obfuscation  can 
influence  belief  levels  in  information  gathered. 

I.  Introduction 

In  “traditional”  sensing  applications,  such  as  localization, 
monitoring,  and  identification,  sensing  systems  are  deployed 
to  support  and  enhance  one’s  capabilities  to  observe  the  world 
of  interest  and  estimate  its  state.  Typically,  these  sensor- 
enabled  applications  (which  act  as  information  consumers , 
or,  simply  consumers)  are  deployed  along  with  their  own 
dedicated  sensing  resources  for  making  the  observations  that 
they  consume  (i.e.,  process).  In  these  tightly-coupled  (closed) 
deployments,  the  consumer  has  reasonable  knowledge  of  (or 
access  to)  the  capabilities  and  deficiencies  of  the  deployed 
sensing  resources.  Figure  1  shows  at  a  high-level  the  structure 
of  a  traditional  sensor-driven  “inference”  system  that  makes 
inferences  regarding  the  world  under  observation. 

In  the  context  of  modern  coalition  operations,  new  sens¬ 
ing  opportunities  and  information  collection  paradigms  have 
proliferated.  Tasks  like  providing  humanitarian  relief  to  the 
injured  after  a  disaster  or  defeating  insurgents  in  a  war- torn 
country  require  a  collaborative  effort  of  different  organiza¬ 
tions  (e.g.,  non-governmental  organizations(NGOs)  and  the 
military).  To  achieve  these  tasks,  critical  information-such  as 
the  location  of  injured  people-has  to  be  sensed  and  exchanged 
between  information  providers  and  consumers  under  different 

This  work  was  presented  at  the  SPIE  Defense,  Security,  and  Sensing 
Symposium,  Baltimore,  MD,  USA,  April  23-27,  2012. 


Fig.  1:  A  traditional  (tightly-coupled)  sensor-enabled  inference 
system. 


administrative  domains.  In  these  cases,  the  closed,  single- 
administrative-domain  association  between  the  information 
producers  and  consumers  is  challenged  by  more  open  and 
hence  more  complex  and  unpredictable  collaborative  multi- 
administrative  (and  even  no-administrative)  domain  associa¬ 
tions.  Knowledge  of  the  capabilities  of  sensing  entities  can  be 
unavailable  and  unknown,  or  policy-constrained,  and  certainly 
of  questionable  reliance.  In  addition,  shared  information  can 
be  deliberately  manipulated  for  various  reasons.  As  a  result,  it 
becomes  harder  to  quantify  the  value  of  the  fused  information 
and  the  risks  associated  with  acting  on  subsequent  inferences. 

Figure  2  shows  an  example  of  a  collaborative,  end-to- 
end  information  processing  system  where  the  information 
providers  and  consumers  interact  only  as  necessary.  In  such 
a  setting,  policies  that  affect  the  sharing  of  information, 
including  any  deliberate  alteration  of  it  through  techniques 
such  as  obfuscation  [1],  and  the  underlying  trust  between 
the  parties  involved,  play  a  key  role  in  mediating  effective 
collaboration. 

Naturally,  transacting  parties  in  these  loosely-coupled  col¬ 
laborative  settings  are  primarily  concerned  with  whether 
the  information  exchanged  between  them,  and  its  quality 
(Qol)  [2],  are  sufficient  to  satisfy  their  needs.  However,  there  is 
a  secondary  concern  as  to  whether  the  exchanged  information, 


Form  Approved 
OMB  No.  0704-0188 


Report  Documentation  Page 


Public  reporting  burden  for  the  collection  of  information  is  estimated  to  average  1  hour  per  response,  including  the  time  for  reviewing  instructions,  searching  existing  data  sources,  gathering  and 
maintaining  the  data  needed,  and  completing  and  reviewing  the  collection  of  information.  Send  comments  regarding  this  burden  estimate  or  any  other  aspect  of  this  collection  of  information, 
including  suggestions  for  reducing  this  burden,  to  Washington  Headquarters  Services,  Directorate  for  Information  Operations  and  Reports,  1215  Jefferson  Davis  Highway,  Suite  1204,  Arlington 
VA  22202-4302.  Respondents  should  be  aware  that  notwithstanding  any  other  provision  of  law,  no  person  shall  be  subject  to  a  penalty  for  failing  to  comply  with  a  collection  of  information  if  it 
does  not  display  a  currently  valid  OMB  control  number. 


1.  REPORT  DATE 

20  SEP  2012 

2.  REPORT  TYPE 

3.  DATES  COVERED 

00-00-2012  to  00-00-2012 

4.  TITLE  AND  SUBTITLE 

Inference  Management:  Trust  and  Obfuscation  in  Coalition  Settings 

5a.  CONTRACT  NUMBER 

5b.  GRANT  NUMBER 

5c.  PROGRAM  ELEMENT  NUMBER 

6.  AUTHOR(S) 

5d.  PROJECT  NUMBER 

5e.  TASK  NUMBER 

5f.  WORK  UNIT  NUMBER 

7.  PERFORMING  ORGANIZATION  NAME(S)  AND  ADDRESS(ES) 

IBM  T.J.  Watson  Research  Center, 19  Skyline 

Drive, Hawthorne, NY, 10532 

8.  PERFORMING  ORGANIZATION 

REPORT  NUMBER 

9.  SPONSORING/MONITORING  AGENCY  NAME(S)  AND  ADDRESS (ES) 

10.  SPONSOR/MONITOR’S  ACRONYM(S) 

11.  SPONSOR/MONITOR’S  REPORT 
NUMBER(S) 


12.  DISTRIBUTION/AVAILABILITY  STATEMENT 

Approved  for  public  release;  distribution  unlimited 

13.  SUPPLEMENTARY  NOTES 

Presented  at  the  Annual  Conference  of  International  Technology  Alliance  (ACITA)  2012  held  17-21  Sep  in 
Southampton,  UK.  U.S.  Government  or  Federal  Rights  License 

14.  ABSTRACT 

In  modern  coalition  operations,  decision  makers  must  be  capable  of  obtaining  and  fusing  information  from 
diverse  sources.  The  reliability  of  these  sources  can  vary,  and,  in  order  to  protect  their  interests,  the 
information  they  provide  could  be  altered,  e.g.,  obfuscated,  to  limit  the  inferences  that  can  be  made  with  it. 
The  trustworthiness  of  fused  information  depends  on  both  the  reliability  of  these  sources  and  their 
inference  management  policies.  Information  consumers  must  determine  how  to  evaluate  trust  in  the 
presence  of  inference  management  techniques,  such  as  obfuscation,  while  information  providers  must 
determine  the  appropriate  level  of  obfuscation  in  order  to  ensure  both  that  they  remain  trusted,  and  do  not 
reveal  any  private  information.  In  this  paper,  we  present  and  formalise  trust  in  the  context  of  inference 
management  and  discuss  the  relationships  between  the  two.  We  illustration  the  pertinent  concepts  via  a 
multi-party  coalition  scenario,  and  present  numerical  examples,  using  subjective  logic  computational 
techniques,  of  how  trust  and  obfuscation  can  influence  belief  levels  in  information  gathered. 


15.  SUBJECT  TERMS 


16.  SECURITY  CLASSIFICATION  OF: 

17.  LIMITATION  OF 
ABSTRACT 

18.  NUMBER 
OF  PAGES 

19a.  NAME  OF 
RESPONSIBLE  PERSON 

a.  REPORT 

unclassified 

b.  ABSTRACT 

unclassified 

c.  THIS  PAGE 

unclassified 

Same  as 
Report  (SAR) 

8 

Standard  Form  298  (Rev.  8-98) 

Prescribed  by  ANSI  Std  Z39-18 


Fig.  2:  A  loosely-coupled,  collaborative  end-to-end  inference 
system. 


as  a  whole  or  in  part,  will  be  utilized  only  for  some  stated 
or  implied  purpose,  and  not  for  some  other,  possibly  illicit, 
ends.  In  this  context,  obfuscation  serves  as  a  mechanism  for 
protecting  against  the  inappropriate  use  of  shared  information. 
It  is  one  of  the  process  by  which  information  providers  delib¬ 
erately  conceal  and  in  general  alter  aspects  of  the  information 
they  provide  to  protect  sensitive  information  by  affecting  the 
ability  of  making  certain  inferences  while  allowing  infor¬ 
mation  consumers  to  still  hopefully  derive  value  from  the 
information  they  receive  [1].  These  techniques  can  range  from 
manipulating  the  information  content  directly,  e.g.,  removing 
a  name  entry  from  an  information  record;  translating,  gener¬ 
alizing,  or  adding  noise  to  a  location  entry;  altering  features 
or  dimensionality  of  the  information,  e.g.,  truncating  Fourier 
coefficients,  concealing  variance  information,  etc.  They  aim  to 
influence,  i.e.,  manage ,  the  set  of  inferences  that  can  be  made 
with  [the  parts  of]  the  information  shared.  In  this  paper,  we 
will  summarily  refer  to  such  inference  managing  techniques 
as  obfuscation ,  even  though,  strictly  speaking,  obfuscation 
(e.g.,  as  in  [1])  typically  refers  to  a  specific  subset  of  these 
techniques. 

This  paper  builds  upon  our  early  work  on  trust  and  ob¬ 
fuscation  [3]  where  we  introduced  and  defined  the  pertinent 
concepts  and  terminology.  In  this  paper,  we  take  these  early 
concepts  and  instantiate  them  through  a  concrete  usage  sce¬ 
nario  drawn  from  the  area  of  combined  military  coalition 
and  humanitarian  aid  operations.  More  specifically,  while  we 
borrow  from  our  previous  work  [3]  as  necessary  to  provide 
context,  the  main  contribution  in  this  paper  is  enriching  our 
previous  work  through  the  development  and  presentation  of 
an  exemplar  case  where  a  number  of  actors  in  the  context 
of  the  aforementioned  scenario  share  information  for  various 
purposes.  We  show  how  evidential  analysis  techniques  can  be 
employed  to  ascribe  levels  of  belief  to  outgoing  (derivative) 
pieces  of  information  when  fusing  incoming  information  that 
was  shared  by  actors  of  varying  trust  levels.  We  also  discuss 
how  the  quality  of  the  derivative  information  can  negatively 


effect  the  trust  and  propose  methods  to  avoid  this. 

The  organization  of  the  paper  is  as  follows.  Section  II 
introduces  our  scenario.  Section  III  defines  and  discusses  trust 
and  obfuscation  from  different  perspectives  through  examples 
based  on  the  introduced  scenario  and  Subjective  Logic  [4]. 
Section  V  discusses  the  interplay  between  trust  and  obfusca¬ 
tion.  Lastly,  Section  VI  concludes  the  paper. 

II.  Example  Scenario 

In  this  section,  we  describe  a  simple  scenario  that  will  be 
used  to  describe  the  relationship  between  obfuscation  and  trust 
in  the  remainder  of  this  paper.  Consider  a  situation  in  which 
a  military  coalition  from  two  nations,  A  and  B  are  attempting 
to  stabilise  a  war-torn  country,  coming  up  against  insurgent 
forces  T.  We  assume  that  the  coalition  has  operated  in  the 
country  for  some  time,  and  has  begun  training  up  a  local 
army,  which  we  denote  by  C.  At  the  same  time,  humanitarian 
organisations  (denoted  by  7 Z)  are  attempting  to  provide  aid  to 
civilians  within  the  country,  while  a  news  agency  A f  broadcasts 
information  from  anonymous  sources  in  the  area. 

Now  in  order  to  act  as  efficiently  as  possible,  the  human¬ 
itarian  organisation  must  interact  with  all  other  actors  in  the 
environment.  On  the  other  hand,  A  and  B  have  no  formal 
contact  with  J 7  while  they  suspect  that  C  may  have  been 
infiltrated  by  some  elements  of  T .  It  should  be  clear  that  A 
and  B  have  a  high  level  of  trust  between  them,  and  that  while 
C  has  a  high  level  of  trust  in  both  members  of  the  coalition,  A 
and  B  do  not  trust  C  as  much  (the  concept  of  trust  is  discussed 
more  formally  in  Section  III).  The  trust  relationships  between 
the  parties  are  summarized  in  Figure  3,  where  the  thickness 
of  the  directed  edges  represents  the  degree  of  trust  the  edge 
source  assigns  the  edge  target. 

The  type  of  trust  we  have  discussed  so  far  is  to  some  extent 
universal.  For  example,  members  of  the  military  coalition  (A 
and  B)  trust  each  other  in  all  contexts.  The  military  coalition 
has  little  trust  in  C  and  7 Z  as  information  providers,  but 
places  a  high  degree  of  trust  in  the  information  provided 
by  AT.  However,  C,  AT,  and  1Z  trust  the  coalition  as  an 
information  provider.  Although  insurgents  (J7)  are  enemies 
of  both  the  military  coalition  ( A  and  B)  and  the  local  army 
C,  they  may  leak  some  useful  information  to  humanitarian 
organisations  ( 1Z ),  the  local  army  (C),  and  the  news  agency 
(AT).  For  instance,  to  avoid  extreme  reactions  due  to  civilian 
casualties,  T  may  warn  1Z  about  the  regions  with  high  IED 
concentrations.  In  these  situations,  7 Z  may  trust  T  with  regard 
to  information  about  potential  IEDs,  but  little  else. 

III.  Trust  and  Obfuscation  Definitions 

Sensor-enabled  applications  collect  sensory  information 
about  their  “world”  (i.e.,  surroundings)  to  support  reasoning 
and  inferences  about  the  world’s  state  and  the  evolution  of 
alternatives.  The  significance  and  effectiveness  of  the  infer¬ 
ences  made  and  of  the  ensuing  actions  taken  depend  on  the 
quality  of  information  received  and  the  value  it  brings  to 
the  tasks  at  hand  [3].  These  in  turn  are  influenced  by  the 
relationships  that  are  developed  between  information  providers 


Fig.  3:  Trust  relationships  between  parties. 


and  consumers.  Now  these  relationships  described  by  levels  of 
trust  and  instantiated  (at  least,  in  part)  by  obfuscation.  In  this 
section  we  examine  these  concepts  more  closely  and  define 
them. 

A.  The  consumer’s  view  of  trust 

Trust  can  be  broadly  defined  as  the  willingness  of  one 
party  (the  trustor )  to  rely  on  the  actions  of  another  party  (the 
trustee)  [5].  Trust  is  critical  in  enabling  interactions  between 
parties  in  uncertain  and  constantly  changing  environments. 
In  our  case,  these  parties  are  the  information  consumers  and 
providers.  For  a  consumer,  we  define  trust  as  follows: 

Definition  1:  Trust  (from  the  consumer’s  viewpoint)  repre¬ 
sents  the  consumer’s  degree  of  belief  that  she  can  rely  on  the 
information  that  a  provider  has  provided  her  with.  I 

Although  not  necessarily  tied  to,  the  reference  to  “degrees  of 
belief”  in  the  above  definition  allows  us  to  naturally  leverage 
the  rich  modeling  and  computational  toolsets  developed  for 
belief-based  analysis.  We  would  shortly  show  some  of  these 
based  on  subjective  logic  techniques. 

If  a  consumer  has  a  low  level  of  trust  in  the  information 
it  receives,  ensuing  inferences  may  be  considered  unreliable. 
Trust  in  a  body  of  available  information  is  influenced  by 
many  factors.  These  include  the  means  by  which  information 
has  been  collected,  i.e.,  its  provenance,  or  how  different 
pieces  of  information  relate  to,  and  corroborate  each  other, 
i.e.,  consistency  in  the  body  of  information.  For  example,  if 
information  derived  from  a  third-party  provider  conflicts  with 
established  facts  and  knowledge,  then  the  level  of  trust  in,  and 
the  value  subsequently  ascribed  to  such  information  would  be 
low. 

1)  Trust  modeling  and  assessment  with  subjective  logic: 
In  the  literature,  trust  is  most  often  described  from  the  con¬ 
sumers’  point  of  view  [6].  Most  trust  and  reputation  systems 
model  the  consumer’s  trust  in  a  provider  via  logic-based  or 
probabilistic  approaches  [6].  A  well-established  framework 
for  trust  in  this  context  is  Subjective  Logic  ( SL )  [4].  In 
subjective  logic,  the  opinion  of  an  information  consumer 
c  about  the  validity  of  a  proposition  a  is  represented  as 
wa  =  where  b represents  c’s  belief  in  a ,  dca 

represents  c’s  disbelief  in  a ,  u represents  c’s  uncertainty 


about  a ,  and  b^  +  +  uca  =  1.  Applying  this  to  our 

definitions,  let  p  be  an  information  provider  and  a  be  the 
proposition  “p  is  trustworthy.”  Given  this,  represents  the 

opinion  of  c  about  the  trustworthiness  of  p.  Opinions  about  the 
trustworthiness  of  information  providers  could  be  hard-coded 
or  dynamically  computed  over  time.  For  instance,  can  be 
computed  based  on  Equation  1 ,  where  r  is  proportional  to  the 
amount  of  positive  evidence  for  a  (i.e.,  number  of  times  p  has 
provided  satisfactory  information),  and  8  is  proportional  to  the 
amount  of  negative  evidence  (e.g.,  number  of  times  p  failed 
to  provide  satisfactory  information).  W  >  2  is  then  a  constant 
representing  the  non-informative  prior  weight. 

r  s  W 

hc  =  _ - _  dc  =  _ - _  uc  =  _ — _  (1) 

a  r  +  s  +  VF’  a  r  +  8  +  VF’  a  r  +  s  +  W 

Naturally,  trust  in  information  providers  affects  the  trust  in 
the  information  they  produce.  If  a  provider  has  historically 
behaved  in  an  untrustworthy  manner,  for  example  due  to  the 
consistent  use  of  inappropriate  or  faulty  sensors  to  gather 
information,  any  subsequent  information  provided  may  also 
be  considered  untrustworthy.  Hence,  the  trust  in  providers  and 
the  information  they  produce  are  both  highly  correlated  and 
build  upon  each  other.  SL  exploits  this  correlation  through 
the  discounting  operator  ®.  Let  wp^  be  the  opinion  of  p 
about  proposition  /3.  If  p  shares  its  opinion  with  c,  the 
provided  opinion  is  converted  to  a  normalised  opinion  (i.e., 
wCp)  based  on  c’s  opinion  about  the  trustworthiness  of  p  (for 
convenience  represented  as  wcv  instead  of  as  in  Equation  2. 
This  equation  emphasizes  that  distrust  with  regards  to  p  and 
uncertainty  about  the  trustworthiness  of  p  both  contribute  to 
the  uncertainty  about  ucp. 


wj  =WCP®WP0  =  (bf ,  dj ,  uj) 
bp  =  bp  x  tip 
dj  =  bp  x  dp0 
ucp  =  dp  +  Up  +  bp  x  Up 


(2) 


Trust  with  respect  to  information  cannot  always  be  derived 
from  trust  regarding  the  information  source.  For  example, 
when  information  is  provided  by  a  third-party  information 
aggregator,  provenance  information  is  required  in  order  to 
make  the  derivation,  and  often,  such  information  may  be 
incomplete  or  absent  altogether. 

As  described  above,  frameworks  such  as  SL  allow  for 
the  expression  of  uncertainty  about  propositions.  Now  when 
various  opinions  about  a  phenomenon  or  object  exist,  such 
uncertainties  are  critical  in  deriving  a  fused  opinion  from  the 
individual  opinions.  SL  provides  several  operators  for  such 
fusion,  including  the  consensus  operator  0  which  is  used  to 
fuse  opinions  about  (3  from  information  sources  Si  and  Sj 
as  defined  by  Equations  3  and  4.  These  equations  imply  that 
the  more  uncertainty  one  has  about  some  individual  piece  of 
information,  the  less  it  affects  the  overall  fused  opinion.  A 
provider  could  therefore  mitigate  the  distrust  placed  in  it  due 
to  poor  information  reporting  by  associating  a  high  degree 
of  uncertainty  with  this  information.  Such  highly  uncertain 


information  will  limit  the  weight  the  consumer  will  assign 
to  it  during  fusion,  preventing  them  from  being  misled  when 
making  decisions  based  on  this  information. 

wCpSt,s wCpSi  0  wCp3  =  ( wcs .  0  w*p)  0  (wcs.  0  wSp  )  (3) 

wf]  =wl®wb0  =  (ba0’b,da0’b,Up’b) 

bf’b)  =  {b%  x  ub0  +  bbp  X  «^)/« 

=  (djg  xtijldjx  U%)IK  (4) 

4a’6)  =  K  x  M/?)/K 

ft  =  uap  +  ubp  —  vfp  X 

/?.  Obfuscation  and  the  provider’s  view  of  trust 

The  dictionary  definition  of  obfuscation  is  “to  make  so  con¬ 
fused  or  opaque  as  to  be  difficult  to  perceive  or  understand”1. 
Common  examples  of  obfuscation  include  GPS’s  selective 
availability,  where  adding  noise  and  witholding  certain  data 
results  in  only  low-accuracy  location  and  time  information 
being  made  available  to  civilian  users.  Similarly,  civilian  users 
can  often  access  only  low  resolution  satellite  imagery,  whereas 
others  could  be  provided  with  more  fine  grained  images. 

In  computing,  obfuscation  refers  to  the  process  of  hiding 
certain  data,  while  maintaining  the  usefulness  of  the  data  for 
an  intended  purpose,  i.e.,  allowing  authorized  inferences  [1]. 
It  has  typically  been  used  to  prevent  leakage  of  personal 
information  that  would,  for  example,  enable  the  identification 
of  a  patient  in  medical  records,  or  the  identification  of  a 
person  and/or  creating  permanent  records  of  a  person’s  exact 
location  when  location-based  information  is  made  available 
to  third  parties  for  marketing  purposes.  Techniques  such  as 
anonymization  and  location  abstraction  are  commonly  used 
for  this  purpose  [1],  [7]. 

However,  when  opportunities  abound  for  collecting  and 
fusing  information  derived  from  multiple  providers  (including 
physical  sensors,  knowledge  bases,  human  observers,  experts, 
etc.),  sufficient  knowledge  may  be  gained  and  inferences 
drawn  that  could  go  beyond  the  intentions  that  caused  the 
gathering  of  information  in  the  first  place.  For  instance,  by 
providing  NGOs  with  dates  of  danger  for  civilians  in  an  area, 
the  military  coalition  may  implicitly  enable  NGOs  to  reason 
about  the  dates  of  military  operations  in  the  area.  This  leads 
us  directly  to  the  provider’s  view  of  trust,  which  we  define  as 
follows. 

Definition  2:  Trust  (from  a  provider’s  view)  represents  the 
provider’s  degree  of  belief  that  a  consumer  will  use  her 
information  only  for  expressed  purposes.  I 

This  definition  suggests  that  obfuscation  can  be  used  not 
only  to  protect  a  specific  piece  of  information  such  as  the 
position  of  an  object  of  interest,  but  also  meta-information 
regarding  the  domain,  such  as  the  capabilities  of  some  sensors. 


In  the  context  of  the  coalition  operations  wherein  coalition 
members  develop  ad  hoc  and  transient  alliance  relationships, 
partners  may  desire  to  share  localisation  information.  Now 
assume  that  one  partner  has  high  quality  sensor  resources  and 
would  like  to  provide  another  partner  with  the  information 
gathered  from  these  sensors,  without  revealing  the  location  and 
nature  of  these  sensors.  Obfuscation  could  be  used  to  hide  this 
latter  meta-information  while  no  obfuscation  would  take  place 
Therefore,  we  can  define  obfuscation  more  broadly  as  follows: 

Definition  3:  Obfuscation  is  the  process  that  an  information 
provider  uses  to  consciously  influence  the  set  of  inferences  that 
could  be  made  involving  the  information  she  provides.  I 

The  above  definition  underscores  our  broader  view  about 
obfuscation  mentioned  in  the  Introduction.  It  focuses  on  the 
ultimate  intention  of  a  provider  to  manage  the  inferences  that 
can  be  made  with  the  information  it  shares  with  an  aim  to 
deliberately  control  the  range  of  uses  that  the  shared  informa¬ 
tion  may  have.  Figure  4  comprises  a  conceptual  representation 
for  this  situation.  It  depicts  an  area  X,  called  inference  space , 
representing  the  set  of  all  possible  inferences  (or,  hypotheses) 
that  can  be  asserted.  The  latter  should  be  interpreted  within 
the  general  context  of  the  interactions  between  the  information 
suppliers  and  providers.  Certain  subsets  of  these  inferences 
may  be  more  critical  to  an  information  provider  than  others 
possibly  entailing  an  uncomfortably  high  level  of  risk  for  the 
provider.  These  critical  inference  subsets  are  represented  by 
the  red  region  on  the  right,  while  the  green  region  on  the 
left  represents  risk-free  inferences.  As  an  example,  the  red 
region  could  contain  information  revealing  the  whereabouts 
and/or  assets  of  a  specific  very  important  person.  The  figure 
also  shows  an  inference  region  Rd  representing  the  region 
of  inferences  a  consumer  has  expressed  a  desire  for  and  was 
the  reason  for  a  particular  act  of  information  sharing.  For 
a  piece  of  information  X  that  is  shared,  the  figure  shows 
the  subset  of  inferences  Rx  that  can  be  deduced  from  X. 
Clearly,  X  will  be  of  value  to  the  consumer  if  Rd  and  Rx 
intersect;  the  figure  shows  a  case  where  Rd  C  Rx •  Should 
some  of  these  inferences  in  Rx  fall  with  the  critical  reddish 
area,  the  provider  may  instead  decide  to  share  an  obfuscated 
version  Z  =  h(X)  (e.g.,  Z  could  be  a  noisier,  translated 
or  dimensionally-diminished  variant  of  X)  which  leads  to  a 
corresponding  inference  region  Rz  located  away  from  the  red 
area.  Likewise,  Rz  would  be  of  value  to  the  consumer  if  Rd 
intersects  with  Rz . 

The  transformation  of  inference  regions  due  to  the  obfus¬ 
cation  may  imply  strict  disallowance  of  certain  inferences.  It 
may  also  imply  the  mere  modification  of  the  likelihood  that, 
using  the  shared  information,  a  particular  inference  can  be 
made  with  an  acceptable  level  of  confidence.  As  such,  the 
level  of  confidence  in  the  inferences  made  using  0  may  not 
be  the  same  as  those  made  using  X  even  for  inferences  that 
fall  within  region  Rd.  Therefore,  the  value  of  information  that 
the  consumer  obtains  when  using  the  obfuscated  information 
Z  could  be  lower  than  when  using  X. 


http://www.  thef reedictionary.  com 


inferences  for  which  information  was 

inferences  that  can  be  asserted  when 
- f: - 

desired  and  sought  after/shared 

< -  - 

less  critical  inferences  more  critical  inferences 


Fig.  4:  An  illustrative  example  of  influencing  inferences  that  can  be  made. 


IV.  Numerical  examples 

In  this  section,  we  give  examples  from  our  scenario  to 
demonstrate  the  concepts  introduced  in  the  previous  sections. 

A.  Trustworthiness  of  information  providers 

In  our  scenario,  the  local  army  C  places  a  high  level  of  trust 
in  the  information  that  it  receives  from  the  coalition  members 
A  and  S,  however,  the  coalition  members  do  not  place  as  much 
trust  in  information  they  receive  from  C.  The  evidence  against 
C s  trustworthiness  as  an  information  provider  could  be  based 
on  invalid/inconsistent/misleading  information  it  provided  in 
the  past. 

For  example,  suppose  C  (the  local  army)  provides  to  the 
coalition  members  the  intelligence  report  i  “insurgents  will 
attack  city  X  on  day  D ”  with  an  expressed  opinion  wf  = 
(0.9, 0.0, 0.1),  signifying  a  high  level  of  confidence  in  the 
validity  of  the  report.  If,  at  some  point,  the  coalition  finds 
that  this  intelligence  report  was  false,  the  provided  information 
becomes  significant  evidence  against  C’s  trustworthiness.  On 
the  other  hand,  if  the  opinion  shared  by  C  had  much  more 
uncertainty  (e.g.,  (0.5,  0.0,  0.5)),  the  false  intelligence  would 
not  act  as  significant  evidence  against  C’s  trustworthiness  as 
an  information  provider,  and  would  not  impact  on  A  and  S’s 
trust  in  C  as  much. 

The  military  coalition  in  our  scenario  may  provide  infor¬ 
mation  with  high  variance  or  uncertainty,  which  may  still 
perceived  as  trustworthy  by  the  NGOs  and  the  local  army, 
provided  that  the  high  variance  or  uncertainty  in  the  informa¬ 
tion  was  clearly  stated  by  the  provider  and  understood  by  the 
consumer.  In  other  words,  even  if  the  information  provided 
may  not  have  been  of  high  quality,  the  provider  was  trusted 
in  that  it  did  not  conceal  its  low  quality. 

Assume  that  the  military  coalition  has  provided  its  opinion 
to  NGOs  about  the  proposition  P{ao:d0}  “there  is  a  danger 


in  area  ao  on  date  do”  as  1  =  (0.29,0.01,0.7).  If  it 

turns  out  that  there  was  no  danger  on  date  do  in  the  area  ao, 
the  trustworthiness  of  the  military  by  the  NGO  would  not  be 
greatly  reduced  due  to  the  high  degree  of  uncertainty  of  this 
proposition. 

Now  let  us  assume  that  the  news  agency  M  disseminates 
information  from  anonymous  sources.  Reliability  of  the  in¬ 
formation  cannot  be  measured  easily.  Even  though  the  actual 
information  source  may  be  reliable,  since  the  source  is  kept 
anonymous  by  A7,  the  information  from  J\f  is  regarded  as 
untrustworthy  by  the  military  coalition  in  our  scenario.  This 
could  be  due  to  a  policy  adopted  by  the  coalition  stating  that 
any  anonymous  information  is  untrustworthy.  However,  C,  7Z, 
and  T  may  have  a  much  more  relaxed  trust  policies  about 
anonymous  information  sources.  Hence,  their  trust  in  J\f  may 
vary  based  on  their  own  assessment  of  the  information  and 
their  own  trust  criteria  (e.g.,  evidence  for/against). 

The  computed  trust  plays  a  significant  role  during  infor¬ 
mation  fusion.  If  1Z  receives  conflicting  opinions  from  C  and 
the  military  coalition,  it  firstly  normalises  these  opinions  using 
the  discounting  operator  in  Equation  2  and  fuses  them  using 
the  consensus  operator  in  Equation  4.  For  instance,  let  w ^  = 
(0.9,  0.0,  0.1)  and  =  (0.2,  0.6,  0.2)  be  opinions  of  the  news 
agency  and  the  local  army  about  some  event  5.  Assume  these 
very  different  options  are  received  by  1Z  whose  degree  of  trust 
in  J\f  and  C  are  represented  as  opinions  wfy  =  (0.4,  0.2,  0.4) 
and  w =  (0.7,  0.1,  0.2),  respectively.  After  normalisation 
based  on  trust,  the  opinions  become  =  (0.36,  0.0,  0.64) 
and  w^c  =  (0.14,  0.42,  0.44).  These  two  normalised  opinions 
are  fused  as  =  (0.31, 0.34, 0.35).  The  overall  opinion 

about  5  is  significantly  more  influenced  by  the  opinion  of  C 
since  thanks  to  its  higher  trustworthiness  with  regards  to  1Z.  To 
clearly  demonstrate  this  influence,  Figure  5,  shows 
as  a  functions  of  the  opinion  of  1Z  about  J\f  and  C.  Specifically, 


(a)  Belief  of  7Z  in  Af  vs.  b^N,C^ 


(b)  Belief  of  1Z  in  C  vs.  b^N,C\ 

Fig.  5:  How  belief  of  TZ  in  5  changes  as  its  belief  in  Af  and  C  varies. 


Figure  5a  shows  against  the  belief  of  TZ  in  Af  and 

Figure  5b  shows  w against  the  belief  of  TZ  in  C.  In 
the  figures,  we  highlight  the  specific  values  from  the  example 
above  using  arrows. 

B.  Trustworthiness  of  consumers  and  obfuscation 

In  our  example  scenario,  military  coalition  members  A 
and  B  would  (typically)  have  no  problem  sharing  operational 
information  with  each  other,  but  would  prefer  not  to  give  C 
and  7 Z  all  this  information,  as  this  could  allow  T  to  obtain 
these  details.  However,  some  information  must  occasionally 
be  shared  (for  example  to  protect  civilians  from  being  caught 
up  in  operations).  Therefore,  the  coalition  might  inform  TZ 
that  they  should  not  enter  some  city  between  certain  dates 
while  having  full  knowledge  of  when  they  would  conduct 
some  operation  in  that  city,  and  precisely  which  area  of  the 
city  this  operation  would  be  conducted  in.  The  coalition  might 
obfuscate  details  of  the  attack  further  by  giving  a  selection  of 


cities  rather  than  a  single  one,  together  with  a  range  of  dates. 

This  represents  an  example  of  obfuscation  by  abstraction 
or  generalization ,  where  the  pieces  of  information  that  are 
shared  are  supersets  of  what  is  actually  known,  thus,  rendering 
the  shared  information  less  specific.  Thus,  with  regard  with 
the  spatiotemporal  context  of  a  shared  piece  of  information 
(describing  the  when  and  where  contained  in  the  information) 
the  specific  time  of  an  event  may  be  abstracted,  for  example,  to 
the  day  of  the  event  or  a  range  of  days.  Similarly,  the  specific 
location  of  the  event-for  example  a  specific  street  corner-may 
be  abstracted  to  a  city  block,  or  the  entire  city,  or  county. 

Let  P{aQ.i,d0.j}  represent  a  proposition  “there  is  danger  in  an 
area  a  G  {ao  . . .  a^}  on  a  day  d  G  {do  . . .  dj}”.  For  instance, 
P{a0.3,d0 .5}  represents  the  proposition  “there  is  danger  in  one 
of  the  areas  {ao  ...  as}  on  one  of  the  days  {do  ...  df\”.  If  the 
military  coalition  conducts  an  operation  on  day  do  in  the  area 
ao,  it  may  want  to  alert  7 Z  about  the  danger  on  the  area  in  the 
specific  day.  However,  sharing  a  strong  opinion  with  TZ ,  such 


as  wP{aQ  dQ}  =  (0.9, 0.0, 0.1)  may  lead  7 Z  to  reveal  that  there 
will  be  a  military  operation  in  ao  on  do  to  T .  In  such  situations, 
an  obfuscation  strategy  could  involve  sharing  a  more  general 
opinion  such  as  wp{aQ3d05}  =  (0.9, 0.0, 0.1)  together  with 
providing  highly  uncertain  opinions  for  the  specific  areas  and 
days,  e.g.,  wP{a(jdo}  =  ...  =  wP{a^}  =  (0.05,0.05,0.9). 
The  provided  information  would  make  7Z  keep  away  from  the 
dangerous  areas  without  revealing  sensitive  information  such 
as  the  locations  and  dates  of  the  military  operations  to  T. 
This  type  of  obfuscation  is  successful  in  the  sense  that  the 
coalition’s  sensitive  information  is  kept  secret  while  allowing 
the  information  consumer  ( JZ )  to  pursue  its  plans.  Furthermore, 
the  applied  obfuscation  does  not  lead  to  any  decrease  in  the 
trustworthiness  of  the  military  coalition. 

Shared  sensory  information  can  also  be  used  to  infer  the 
type  and  location  of  sensors.  Therefore,  the  military  coalition 
can  obfuscate  the  information  before  sharing  it  with  C  to  hide 
the  positions  of  its  sensors  and  dates/locations  of  its  classified 
activities.  Similarly,  insurgents  ( J -)  obfuscate  the  information 
before  sharing  it  with  1Z  to  hide  information  about  their 
activities  and  locations;  the  news  agency  (A f)  obfuscates  the 
news  before  broadcasting  to  hide  the  identity  of  its  information 
sources. 

Having  provided  some  examples  of  the  uses  of  obfuscation, 
we  turn  our  attention  to  the  interplay  between  trust  and 
obfuscation  and  discuss  reasoning  under  obfuscation. 

V.  Interplay  between  Trust  and  Obfuscation 
A.  Relationship  between  obfuscation  and  trust 

There  is  a  clear  relationship  between  the  level  of  obfuscation 
and  trust  between  a  provider  and  a  consumer.  That  is,  the 
provider’s  level  of  trust  towards  the  consumer  determines  the 
level  of  obfuscation  the  provider  can  apply.  In  our  scenario, 
the  high  level  of  trust  between  them  means  that  military 
coalition  members  need  to  obfuscate  information  that  they 
share  with  each  other  only  slightly,  while  they  will  obfuscate 
more  drastically  information  shared  with  the  local  army  (C) 
and  NGOs  ( 1Z )  to  avoid  revealing  sensitive  information.  Lower 
levels  of  obfuscation  (i.e.,  permitting  more  inferences)  entail 
more  risk  for  the  producer  than  higher  ones,  as  additional 
inferences  could  allow  the  consumer  the  knowledge  necessary 
to  take  undesirable  actions.  That  is,  lower  level  of  obfuscation 
may  allow  a  consumer  a  spectrum  of  inferences  that  include 
sensitive  ones  (such  as  the  dates  or  locations  of  classified 
activities),  i.e.,  inferences  that  fall  in  the  critical  (red)  area  on 
the  right-side  of  Figure  4.  However,  the  producer  might  trust 
that  the  consumer  will  not  exploit  these  opportunities,  and 
when  such  a  trust  relationship  exists,  the  level  of  obfuscation 
could  be  lowered. 

Now,  excessive  obfuscation  may  make  information  received 
less  useful  for  the  consumer,  which  would  then  result  in  a 
decrease  in  the  perceived  trustworthiness  of  the  information 
provider.  Furthermore,  certain  types  of  obfuscation,  such  as 
the  injection  of  errors  in  the  information  shared  to  hinder 
certain  inferences,  can  blur  the  border  between  the  obfuscation 
and  deception.  Deception  is  defined  as  the  act  of  misleading 


another  through  intentionally  false  statements  or  fraudulent 
actions2.  When  obfuscation  crosses  the  line  into  deception,  the 
trust  of  the  party  being  deceived  towards  the  party  deceiving 
will  be  significantly  reduced,  leading  to  a  vicious  cycle  of 
decreasing  trust,  increasing  obfuscation,  and  ultimately,  de¬ 
creased  information  sharing.  Avoiding  this  cycle  is  therefore 
an  important  consideration  for  information  providers  and  con¬ 
sumers  who  depend  on  long-term  interactions  with  others.  An 
interesting  use  study  about  personal  deceptive  practices,  i.e., 
lying,  driven  by  a  Bayesian-network  model  can  be  found  in 
the  literature  [8]. 

B.  Reasoning  under  obfuscation 

Obfuscation  allows  two  parties  to  communicate  and  co¬ 
operate  through  sharing  information  while  still  protecting 
sensitive  information.  Without  obfuscation,  the  risk  of  reveal¬ 
ing  sensitive  information  would  prevent  such  communication 
and  cooperation  from  occurring,  leaving  both  parties  worse 
off.  Obfuscation  is  therefore  a  valuable  tool  in  maintaining 
cooperation  between  parties  in  highly  heterogeneous  coalition 
settings.  Given  the  utility  of  obfuscation,  coalitions  should 
be  capable  of  reasoning  in  the  presence  of  obfuscation. 
Obfuscation- aware  reasoning  may  involve  various  steps  where 
each  aspect  of  information  about  the  obfuscation  must  be 
considered.  Consumers  can  have  varying  degrees  of  knowledge 
about  the  obfuscation  of  a  particular  piece  of  information.  We 
can  roughly  categorize  this  knowledge  as  follows: 

•  complete  knowledge  of  the  obfuscation  type  and  its 
extent; 

•  knowledge  of  obfuscation  type  but  not  its  extent; 

•  knowledge  that  obfuscation  is  taking  place  (nothing  else); 
and 

•  no  obfuscation  knowledge  is  available. 

Awareness  of  the  level  at  which  obfuscation  is  taking  place 
could  suggest  the  remedial  actions  necessary  when  utilising 
obfuscated  information.  Contracts  between  parties  explicitly 
specifying  information  sharing  policies  can  provide  a  possible 
source  of  such  knowledge. 

Information  providers  and  consumers  often  agree  upon 
sharing  specific  pieces  of  information.  Such  agreements  could 
be  formalized  as  information  sharing  contracts ,  i.e.,  Qol- 
level  agreements  (QLAs),  which  express  Qol  expectations  for 
received  information.  These  QLAs  may  be  further  enriched  by 
expressing  the  intended  uses  of  information,  i.e.,  the  inferences 
to  be  made  with  the  information  provided.  This,  in  turn,  allows 
the  provider  to  determine  appropriate  levels  of  obfuscation  a 
priori  based  on  the  stated  inferences  and  the  trust  the  provider 
has  toward  the  consumer. 

In  this  way,  such  contracts  determine  the  context  in  which 
the  consumer  should  evaluate  trustworthiness  of  the  informa¬ 
tion  provider.  For  example,  if  the  consumer  (e.g.,  the  local 
army  C)  states  in  the  QLA  that  the  information  provided  shall 
be  sufficient  to  to  estimate  the  position  of  a  sniper  within  20 
meters  of  its  true  position  with  10  seconds  of  the  event  of  a 

2  http:  //dictionary,  law.  com 


sniper  shooting  (these  are  Qol  expectations),  the  provider  (e.g., 
the  military  coalition)  will  be  contractually  responsible  for 
providing  information  to  support  this  localization  task  at  the 
stated  quality  level.  He  will  not  be  obliged  to  divulge  anything 
more.  In  this  case  the  consumer  may  not  have  grounds  to 
rate  the  provider  as  untrustworthy  if  he  does  not  deliver 
information  with  stricter  Qol  levels.  This  allows  the  provider 
to  obfuscate  the  information  to  hinder  other  inferences,  such 
as  inferences  that  allow  the  positions  of  its  sensors  to  be 
determined,  without  risking  its  trustworthiness  as  long  as 
this  obfuscation  does  not  violate  the  agreement.  Note  that  a 
consumer  may  always  rate  the  provider  along  other  dimension 
as  well  such  as  cost-effectiveness,  capability,  etc.  He  may  then 
rank  them  higher  or  lower  to  other  similarly  trusted  providers 
that  may  provide  lower  or  higher  Qol;  further  discussion  on 
this  is  beyond  the  scope  of  this  paper. 

VI.  Conclusions 

Inference  management  techniques,  which  we  summarily  re¬ 
fer  to  somehow  imprecisely  as  obfuscation,  are  necessary,  and 
often  desirable,  serving  to  encourage  information  sharing  in  di¬ 
verse  coalitions  by  reducing  the  perceived  risk  for  information 
providers  while  delivering  value  to  its  consumers.  However, 
such  techniques  may  also  become  problematic  when  assessing 
one’s  trust  in  the  information  received  and  its  providers.  There 
exists  then  a  need  for  techniques  which  facilitate  the  identifica¬ 
tion  of  appropriate  obfuscation  methods,  as  well  as  techniques 
for  reasoning  with  obfuscated  information.  Addressing  this 
need  requires  an  understanding  of  the  complex  relationship 
between  obfuscation  and  trust.  In  this  paper,  we  described 
the  concepts  of  trust  and  obfuscation,  and  examined  their 
relationship  through  a  coalition  scenario.  We  demonstrated 
how  information  consumers  evaluate  their  trust  in  information 
providers  using  the  subjective  logic  operator  toolset.  Then, 
we  discussed,  through  our  scenario,  how  obfuscation  can 
be  utilised  to  prevent  sensitive  inferences  without  decreasing 
information  consumers’  trust  in  the  providers.  Lastly,  we 
introduced  the  concept  of  Qol- level  agreements  to  serve  as 
contracts  between  information  consumers  and  providers  to 
determine  the  context  of  information  sharing  and  the  level  of 
obfuscation. 

As  a  future  work,  we  would  like  to  leverage  existing 
knowledge  representation  approaches  to  represent  and  reason 
about  Qol-level  agreements.  We  also  want  to  examine  how 
these  agreements  can  be  utilised  within  normative  distributed 
systems,  i.e.,  multi-agent  systems,  to  promote  information 
sharing  without  compromising  sensitive  information. 

Acknowledgements 

The  authors  would  like  to  thank  Supriyo  Chakraborty  for 
enlightening  discussions  during  the  course  of  this  project. 

This  research  was  sponsored  by  the  U.S.  Army  Research 
Laboratory  and  the  U.K.  Ministry  of  Defence  and  was  accom¬ 
plished  under  Agreement  Number  W911NF-06-3-0001.  The 
views  and  conclusions  contained  in  this  document  are  those 


of  the  author(s)  and  should  not  be  interpreted  as  representing 
the  official  policies,  either  expressed  or  implied,  of  the  U.S. 
Army  Research  Laboratory,  the  U.S.  Government,  the  U.K. 
Ministry  of  Defence  or  the  U.K.  Government.  The  U.S.  and 
U.K.  Governments  are  authorized  to  reproduce  and  distribute 
reprints  for  Government  purposes  notwithstanding  any  copy¬ 
right  notation  hereon. 

References 

[1]  D.  E.  Bakken,  R.  Parameswaran,  D.  M.  Blough,  A.  A.  Franz,  and  T.  J. 
Palmer,  “Data  obfuscation:  Anonymity  and  desensitization  of  usable  data 
sets,”  IEEE  Security  and  Privacy,  vol.  2,  no.  6,  pp.  34-41,  2004. 

[2]  C.  Bisdikian,  L.  M.  Kaplan,  M.  B.  Srivastava,  D.  J.  Thornley,  D.  Verma, 
and  R.  I.  Young,  “Quality  of  sensor-originated  information  in  coalition 
information  networks,”  in  Network  Science  for  Military  Coalition  Opera¬ 
tions:  Information  Exchange  and  Interaction,  D.  Verma,  Ed.  IGI  Global, 
2010,  pp.  15-41. 

[3]  C.  Bisdikian,  M.  Sensoy,  T.  J.  Norman,  and  M.  B.  Srivastava,  “Trust  and 
obfuscation  principles  for  quality  of  information  in  emerging  pervasive 
environments,”  in  Workshop  on  Information  Quality  and  Quality  of 
Service  for  Pervasive  Computing  (IQ2S12),  2012. 

[4]  A.  Jpsang  and  T.  Bhuiyan,  “Optimal  trust  network  analysis  with  subjective 
logic,”  in  SECURWARE’08,  Cap  Esterel,  France,  Aug.  25-31  2008. 

[5]  D.  Gambetta,  Trust:  Making  and  Breaking  Cooperative  Relations.  Black- 
well,  1990. 

[6]  A.  Jpsang,  R.  Ismail,  and  C.  Boyd,  “A  survey  of  trust  and  reputation 
systems  for  online  service  provision,”  Decis.  Support  Syst.,  vol.  43,  pp. 
618-644,  2007. 

[7]  M.  Duckham  and  L.  Kulik,  “A  formal  model  of  obfuscation  and  nego¬ 
tiation  for  location  privacy,”  in  3rd  Inf  l  Conf  on  Pervasive  Computing, 
PERVASIVE  2005,  Munich,  Germany,  May  8-13,  2005. 

[8]  X.  An,  D.  Jutla,  and  N.  Cercone,  “Reasoning  about  obfuscated  private 
information:  who  have  lied  and  how  to  lie,”  in  5th  ACM  Wkshp  on  Privacy 
in  Electronic  Society  (WPES’06),  Alexandria,  Virginia,  USA,  Oct.  30- 
Nov.  3,  2006. 


